I'm running drupal 4.6, and have run into a problem with access control. While nodes themselves are access controlled---and in particular, I can restrict "anonymous users" from access to the nodes---I can't figure out how to restrict access to the blocks on the sidebars. I am managing a book node, and one of the blocks is the book outline. Each book page shows "access denied" to any anonymous user; however, such an anonymous user will see the book outline, and can navigate through it to learn all of the section headings etc., which is a privacy violation I would like to prevent.

Comments

sepeck’s picture

You will need to play around with custom blocks to accomplish this.
Here's an example in the handbook
http://drupal.org/node/27690

-sp
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain

-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide

karger’s picture

This seems like it would work, IF there were an easy way for me to "wrap" another block inside my own. I tried the obvious step of calling book_block and returning the result, but that produced junk. What should I do instead?

chx’s picture

Will solve this by letting you code visibility. All hail Dries for this fine idea.
--
Read my developer blog on Drupal4hu.

--
Drupal development: making the world better, one patch at a time. | A bedroom without a teddy is like a face without a smile.

sami_k’s picture

Hail Dries! ;)
--
Please read the handbook, search the forums, then ask...
http://drupal.etopian.net (Modules and Drupal Services)

karger’s picture

OK, I've gotten what I needed with the book module, but I had to write a custom block to do it. This seems questionable. It seems that by default, any time someone implements a block and it gets enabled, it can be viewed by anonymous users. This can only be prevented if the block developer thinks to do their own access control checking, or if one writes custom block code for each block he wishes to enable. This lack of a centralized permission mechanism for blocks seems a real access-control hole. At the very least, shouldn't there be some kind of "view blocks" permission that can be granted to or withheld from various roles?